We develop a Java web application. One of the application abilities is to communicate with other web services (like Google calendar) using a credentials supplied by the user.
We are not sure about the way to protect this credentials. Currently we are encrypting th开发者_Python百科e passwords and saving the encryption output in the DB.
The encryption key is store in Java KeyStore. The KeyStore password is being passed as System Property to the JVM. This is the weak link of the chain - the KS password is available in the loading script.
Is there best practice out there that gives complete solution to this problem?
Don't even try to save user's credentials. Use oAuth to authenticate the app for every user like explained here.
精彩评论